PRIVACY POLICY

WHO ARE WE?

Ark Sp. z o.o., with its registered address at ul. Jacka Soplicy 30, 70-396 Szczecin, NIP: 8522700321, REGON: 526712360, KRS: 0001064632, further referred to as “the Company” or “we”.

This Privacy Policy (“Policy”) explains how the Company collects, uses, shares, and protects personal data in connection with the ArkLabs platform ("Platform"). This Policy does not apply to websites / subpages that post different statements. It distinguishes between two distinct roles under the General Data Protection Regulation (GDPR):

  1. As Data Controller for personal data collected during user account creation and login,
  2. As Data Processor for personal data that you, the Customer, include in prompts submitted to AI models, available via API credentials.

CONTACT

For data protection matters, please contact us at: [email protected].

DATA COLLECTED AND ROLES OF THE COMPANY

  1. CONTROLLER

    As Data Controller we process the following personal data:

    1. Google account email address,
    2. Google ID token,
    3. Name and profile picture (if accessible),
    4. IP address, session data, and usage logs (for security and billing purposes),
    5. Billing information (e.g., full name, company name, billing address, VAT number, transaction identifiers, and purchase history).

    Purpose of processing: To register and manage user accounts, authenticate sessions via Google OAuth, manage API keys, generate invoices, track usage and purchases, communicate service changes, and ensure platform security.

    Legal basis:

    Art. 6(1)(b) GDPR – performance of a contract,

    Art. 6(1)(c) GDPR – compliance with a legal obligation (tax and accounting laws),

    Art. 6(1)(f) GDPR – legitimate interest in platform administration and security.

    Providing these personal data is voluntary, but necessary for Account registration.

    The personal data above are processed for the duration of the Service provision and retained thereafter for the period necessary to establish, exercise, or defend legal claims, in accordance with applicable limitation periods.

    If you contact us via the contact form, we process your name, surname, e-mail address, phone number, the name of the organisation that you are affiliated with and any other data you provide voluntarily when you contact us via contact forms or in other ways (e-mail, phone, correspondence). In such an event, we process your data to:

    1. answer all your questions and requests sent through the electronic forms and using contact addresses published on the Platform, including interactive windows (Article 6 point 1 f) GDPR),
    2. communicate and provide commercial or marketing information (tutorials, articles, updates), e.g. via newsletter, on the basis of your voluntary consent (Article 6 point 1 a) GDPR),
    3. establish cooperation with you or your company, including verification of your data and preparation of an offer at your request to enter into a cooperation with us (Article 6 point 1 b) GDPR).
  2. PROCESSOR

    When Customers submit input to AI models via the Platform (e.g., prompts, images, documents, questions), the contents may contain some personal data, under the Customer's sole control. We do not require, encourage, or permit the submission of personal data, and expressly prohibit the submission of special category data (e.g., health, ethnicity, religion, biometric or genetic data). However, we do not have control over the content of the prompts that Customers provide, nor over the scope of personal data provided (if any).

    If the Customer wishes to enter personal data into prompts, we ask you to contact us in order to conclude a data processing agreement.

    Our role in such an event: We act as a data processor on behalf of the Customer (who is the controller of the input data).

    Customer responsibilities: Users are responsible for ensuring they have a lawful basis for processing any personal data submitted through the Platform and for providing appropriate privacy notices to any data subjects whose data they input.

    Data retention: Prompt and output data are not stored or logged by default. Temporary caching may occur for technical processing, but all content is automatically deleted after inference unless otherwise agreed.

    Use of outputs: Customers are solely responsible for verifying and evaluating the AI-generated outputs. These may contain inaccurate, biased, or outdated content.

RECIPIENTS OF DATA

Your personal data included in the prompts are not shared with any third parties. All content is automatically deleted after inference unless otherwise agreed.

Your personal data that we process as a Controller may be shared with the following trusted third parties:

  1. external entities providing services to the Data Controller, such as accounting, legal, IT, hosting,
  2. our trusted co-workers and contractors,
  3. payment operators - to process payments.

In addition, personal data may also be transferred to public or private entities if such an obligation arises from generally applicable laws, a final court judgment or a final administrative decision.

The purpose and scope of data collection, further processing and use of data by some third parties, as well as the associated rights of users and setting options for protecting privacy, are described in the privacy policy information of the respective provider. The Company has no control over, and is not responsible for, the privacy policies and practices of third parties.

THIRD PARTY SERVICES

Stripe is used for payment processing. Stripe may collect payment-related data directly from Customers under its own privacy policy that can be found here.

Google provides authentication via OAuth. Your login data is processed through Google's secure login infrastructure.

TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

Your personal data may be transferred outside the European Economic Area (EEA) to a third country, to entities that meet the level of protection required by the European Commission. If data is transferred from the EEA to other countries, data processors shall comply with legal regulations that ensure a level of security adequate to that of the EU regulations. For example, in order to use Google, Personal Data may be transferred outside the European Economic Area (EEA), specifically to the United States. These entities guarantee an adequate level of personal data protection as required by European regulations. If personal data is transferred to a third country that does not comply with EC requirements, any processing will be based on up-to-date standard contractual clauses approved by the European Commission. Information on, and a copy of, the safeguards, including such standard contractual clauses, may be provided at the Company’s registered office or via e-mail.

YOUR RIGHTS

If the Company processes your data, you have the right to:

  1. request the data,
  2. rectify the data,
  3. restrict the processing of the data,
  4. erase the data,
  5. transfer the data,
  6. object to the processing of data that takes place on the basis of the Company’s legitimate interest,
  7. withdraw your consent (where processing is based on consent) at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

Users whose data are processed have the right to lodge a complaint with the appropriate supervisory body, e.g. in Poland, with the President of the Office for Personal Data Protection.

SECURITY OF YOUR PERSONAL DATA

We take steps to help protect personal data. All personal data provided to us is stored on secure servers and guarded by strict procedures and well-trained staff. The Company processes personal data with due diligence when selecting and applying appropriate technical and organizational measures.

Taking into consideration the protection of your rights, personal data is:

  1. processed lawfully, fairly and in a transparent manner,
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with the principle of data minimization,
  4. accurate and, where necessary, kept up to date,
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We take all necessary actions to ensure that subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Company.

We do not engage in profiling or any automated decision-making processes that would produce legal or similarly significant effects on Customers within the meaning of Article 22 GDPR.

CHANGES TO THIS POLICY

This Policy is regularly reviewed and updated as necessary. We reserve the right to change this Policy and, if we make any changes, we will change the last updated date below.

This Policy was last updated on 01/07/2025.